Comment by Terr_
21 hours ago
> Exactly how does Microsoft's device identifier get associated with the ngrok session
The article has a link to "39-page criminal complaint" PDF, and I'd summarize the prosecution's claims (from sections 21.e, 22, 26) as:
1. The ngrok client was downloaded onto hardware owned by the victims and used by the attacker.
2. The client was later discovered along with an ngrok auth token. (2x0b1363KPV35LCUuZCkJag0G84_2btDjSM5oY82TQuiLZvaz)
3. The ngrok auth data was linked to an ngrok account. (ac_2x0b16MSTJk4PvjLZMoqt4vOvZM)
4. Although a VPN was used by whomever created the ngrok account, the creation-time of the account correlates to Microsoft's telemetry, which indicates that the accused's computer was visiting ngrok sign-up pages.
Thanks. (4) is the critical piece here.